Whether large or small approach information security is a daunting task. Especially if your staff are not experts in the field. You have an understanding of the importance of information security but the investment into the development can be costly, time could be saved if you had some sort of guide to the this. Thankfully in your organization there is already one process expert you can turn to, your COO or Operations Director. Working in tandem with your CIO some excellent protective measures can be made. For this article we will provide some best practices for getting you started on designing your processes for security. This will include the intersections of process and security, design and flow principles, and onboarding tips.
The Perfect Match: Process & Security
Most organizational problems do not originate in people but rather in process, control mechanisms, and structure. This is for all operations before we even bring in the element of security. Great managers and leaders recognize this and often act proactively to prevent process failures. Process are developed to achieve the mission of the organization; thus the role of security processes is to protect not just information, but those other processes that allow the mission to happen. Security happens at the intersection of technology, people, and process, so the relationship to process management is not a foreign one. However, as any process manager knows, people and technology working to realize goals are what processes are shaped around. So when designing security processes we need to keep in mind this is not the design of how to use technology, it is the design of how to sustainably keep the mission going.
Three Prong Principles: Security, Flow, and Structure
With the understanding that security process design is for the continuation of the mission, this means it is cross-functional and must consider operations in every department. So follow these principles to not get overwhelmed in your efforts to achieve a more secure environment.
When engaging in process development it is important to understand that people don’t like change. If a new process has too much of an impact on everyday work, it will fail at the onboarding stage. Which creates vulnerability via people. To avoid this ask yourself what are the most critical processes to achieving the mission, and what are the sub-processes that support the primary ones? Once you’re able to gather this information analyze where in the process there are security vulnerabilities. Develop processes around the security by design principles merged with the goal in mind of shifting behaviour from as-is to your new secure process.
Process First, Tech Later
Have you ever been in a situation where there were grand promises made about what an amazing technology was going to do for your worklife. Only to later realize not much changed, it may have even got more complicated. This is because technology was laid on top of an as-is process. When designing a new security process it means there needs to be a behavioral process change first, then an automation of that. This is because process design is the first layer of repetition of activity, the automation comes later to support that activity with efficiency.
An example of this would be a remote employee who used to work from their own computer while on personal websites at the same time. Hours were logged manually and validation was a challenge.Their boss realized there was a better way to monitor work. So they installed an operating system on their server and tracked work happening on their machine. This prompts a behavior change where the employee must now login to a remote server to do their work. Now if any additional information technology is added it can be added on the basis of automated monitoring of work being done.
Point-of-Entry for Vendors
When designing for an organization it is inevitable that vendors may need some access to your information. In this case design processes that assigns responsibility to a human point of contact in your organization. This is a common failure in process for even customer service, so imagine when designing for security that a vendor has unmonitored access to company information. It is a security risk that has breached some of the largest firms in the world such as Target, Goodwill, and Home Depot. Make sure this does not happen to you. Work with the operations director to understand who would be best equipped to monitor vendor activities in your server.
Security-by-Design (we could not leave this out.)
In the context of security, a quality process will beas secure as possible from the start. As a reminder the core of information security is in confidentiality, integrity, and availability. The security-by-design framework was built on these three pillars. Merged with the operations side of process design this will ensure layers of security with both people and technology. The security-by-design principles are:
Principle of Least Privilege:
Access to information and resources are limited to a need-to-know basis. Users operate on a minimal amount of privileges. This principle should apply without discrimination regardless of title.
When a process or system fails do they become exposed to attack or insider threat? If your answer to that is yes then you need to design sub-processes to ensure that even in a failed state, the main system remains unexposed to threat.
Security is about control and protection, which becomes harder the more complex a system is. Ensure that information systems provide only exactly what is needed in a way that allows for productivity to proceed without bottlenecks. The more complex a system (features, plugins, integrations etc.) is the more exposed it becomes to threat and bypass. The more simple a system, the easier oversight and control of it becomes.
Don’t Accept Obscurity:
Systems dependent on secrecy often will be exposed or rendered obsolete. This is not the most effective or efficient approach towards designing security.
Security needs to be integrated with an operations process and not a hindrance to the continuation of work. For this reason ensure that your security system is user-centric in the sense that it takes into account what their job is and what too much added work will do to their motivation to participate. If this critical people component is not taken into account the exposure to insider threat rises for your organization from negligence and frustration.
Layers upon Layers:
Do not rely on just one mode of defense and any mode is subject to bypass. Security in people’s behaviours are just as important as the supporting technology, it is the first line of defense. You should embed at least two mitigation strategies in the event of a breach to ensure that information data is not accessed by outsiders.
As the world continues to grow in complexity we must be sure to stay close to the roots of security which exists in the behaviours of people. Security involves all of us, which is beyond education. It is grounded in the processes we do to get work done everyday.